Linux Kernel KFENCE-Allocated SKB Head Cross-Cache Free Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of socket buffer (SKB) heads allocated while KFENCE is enabled has been fixed.

SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value so that it does not collide with generic kmalloc bucket sizes. This lets skb_kfree_head() distinguish SKB heads that came from the small head cache from those that came from generic kmalloc caches. With KFENCE enabled, however, the kfence_ksize() function returns the exact allocation size instead of the slab bucket size. If a caller allocates SKB head data via kzalloc() and the size matches SKB_SMALL_HEAD_CACHE_SIZE, the head is misclassified: skb_kfree_head() frees the object to the small head cache instead of the original kmalloc cache, resulting in a slab cross-cache free error.

The fix modifies skb_kfree_head() to always call kfree(head), a generic free path that avoids allocator-specific errors for KFENCE objects.

Impact

Exploiting this vulnerability could lead to a slab cross-cache free error, where an object is freed to the wrong slab cache, potentially causing memory corruption issues.

Reproduction

The vulnerability can be reproduced by allocating SKB head data using kzalloc() with a size that equals SKB_SMALL_HEAD_CACHE_SIZE, while KFENCE is enabled. This will cause the skb_kfree_head() function to incorrectly free the SKB head to the small head cache, instead of the original kmalloc cache, creating a cross-cache free situation.
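
A userspace model of the size-based classification described above, added here as an illustration; it is not kernel code and not part of the original advisory. The value 704 for SKB_SMALL_HEAD_CACHE_SIZE, the power-of-2 bucket rounding and all helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed value: the real SKB_SMALL_HEAD_CACHE_SIZE is config-dependent.
 * Only the property stated above matters: it is not a power of 2. */
#define SKB_SMALL_HEAD_CACHE_SIZE 704u

enum cache_id { CACHE_KMALLOC, CACHE_SKB_SMALL_HEAD };

/* Simplified kmalloc bucket model: round up to the next power of 2. */
static size_t kmalloc_bucket(size_t req)
{
    size_t b = 8;
    while (b < req)
        b <<= 1;
    return b;
}

/* Size a ksize()-style query reports for a kzalloc()'d head: the bucket
 * size from a normal slab, the exact request when KFENCE served it. */
static size_t reported_size(size_t req, bool from_kfence)
{
    return from_kfence ? req : kmalloc_bucket(req);
}

/* Cache the head is freed to. Pre-fix: inferred from the reported size.
 * Post-fix: generic kfree(), modelled as returning to the owning cache. */
static enum cache_id free_target(size_t size, enum cache_id owner, bool fixed)
{
    if (fixed)
        return owner;
    return size == SKB_SMALL_HEAD_CACHE_SIZE ? CACHE_SKB_SMALL_HEAD : CACHE_KMALLOC;
}

/* True when a kzalloc()'d head of `req` bytes is freed to the wrong cache. */
static bool cross_cache_free(size_t req, bool from_kfence, bool fixed)
{
    size_t sz = reported_size(req, from_kfence);
    return free_target(sz, CACHE_KMALLOC, fixed) != CACHE_KMALLOC;
}

int main(void)
{
    printf("slab,   pre-fix: %d\n", cross_cache_free(SKB_SMALL_HEAD_CACHE_SIZE, false, false));
    printf("kfence, pre-fix: %d\n", cross_cache_free(SKB_SMALL_HEAD_CACHE_SIZE, true, false));
    printf("kfence, fixed:   %d\n", cross_cache_free(SKB_SMALL_HEAD_CACHE_SIZE, true, true));
    return 0;
}
```

In the model, only the KFENCE-served allocation of exactly SKB_SMALL_HEAD_CACHE_SIZE bytes is misclassified before the fix; the same request served from a normal slab reports its bucket size and is classified correctly.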

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Apr 20, 2026, 10:48 AM
Updated: Apr 20, 2026, 10:48 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.